DETAILED ACTION

1. This office action is in response to communications filed on 12/18/2007. Finality of the
previous office action is withdrawn (please see response to arguments below), and subsequently this 
office action is made FINAL. 

2. Claims 1-4, 6-13, 15-22 and 24-27 have been presented for examination.

3. Claims 1-4, 6-13, 15-22 and 24-27 have been rejected.

Response to Arguments 

4. The applicant's arguments regarding the previous 35 USC 103(a) type rejections are fully 
considered, however, these arguments are moot in view of newly found ground of rejection (please 
see below for detail). 

5. In response to the applicant's arguments that previous 35 USC 103(a) type rejections in view
of commonly owned reference Hinton et al were improper, the examiner withdraws the previous 35
USC 103(a) type rejections in view of reference Hinton et al. However, the examiner notes that, since the
Hinton et al reference properly qualifies as a 35 USC 102(e) type reference, Hinton et al is used to
reject independent claims 1, 10 and 19 in this office action under 35 USC 102(e) (please see the
office action below).

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 



(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that 
the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary
skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

6. Claims 1-4, 6-13, 15-22 and 24-27 are rejected under 35 USC 103(a) as being unpatentable
over Wood et al (US 6668322 B1) in view of Low et al (US 6996605 B2) further in view of
Martherus et al (US 7194764 B2).

Regarding claim 1 and 19, Wood et al discloses a method/ system for managing multiple 
user identities for a user of an electronic commerce (e-commerce) site, the method comprising: 

defining the e-commerce site as a plurality of security domains (Col 13, lines 1-20; Col 15, 
starting at line 9; security architecture; controlling access to several/ multi level domains); and 

in response to a user's request to invoke an operation of the e-commerce site: 

determining a security domain of the plurality of security domains to which the operation 
relates (Fig 4.410: domainId; Col 13, lines 1-20; Col 15, starting at line 9; Col 16, starting at line 35;
session credentials/ tokens for persistent/ subsequent sessions; accessing resources in several/ multi
level domains); and

reusing the session for the user automatically in accordance with the determined security 
domain, the selected session being associated with a user identity and a role, the user identity and 
role together indicating privileges for invoking operations of the e-commerce site in at least the 
determined security domain; and persisting said session for reuse (Col 11, starting at line 11; Col 16, 
starting at line 50; session creation; Col 8, starting at line 9; Col 13, starting at line 5; Col 15, starting 
at line 8; Col 16, starting at line 35; Claim 1,12; session credentials/ tokens for persistent/ subsequent 
sessions).

Wood et al fails to disclose selecting a session from a plurality of sessions persisted for the
user based on the determined security domain. 

However, Low et al discloses selecting a session from a plurality of sessions persisted for the 
user (Col 2, line 6-42; Col 13, line 15-67; Claims 1-13; user selecting a session to join from
plurality of sessions), and

Martherus et al discloses selecting a session persisted for the user based on the determined
security domain (Col 2, line 1-40; Col 8, line 40-67; Claims 1-36; need not to re-authenticate the
user in second domain; persisted sessions in multiple domains). Martherus et al further discloses
the selected session being associated with a user identity and a role, the user identity and role 
together indicating privileges for invoking operations of the e-commerce site in at least the 
determined security domain (Col 2, line 1-40; Col 8, line 40-67; Claims 1-36). 

Martherus et al, Low et al and Wood et al are analogous art because they are from the
same field of endeavor of session management. At the time of invention it would have been obvious 
to a person of ordinary skill in the art to combine the teaching of Martherus et al or Low et al with 
Wood et al to design a method further comprising the step of selecting a session from a plurality of 
sessions persisted for the user based on the determined security domain in order to provide user with 
multiple session access. 

Regarding claim 10, it is rejected applying as above rejecting claim 1, furthermore, Wood et 
al discloses a computer readable medium tangibly embodying computer executable code for 
managing multiple user identities for a user of an electronic commerce (e-commerce) site defined 



Application/Control Number: 10/727,322 Page 5 

Art Unit: 2135 

using the plurality of security domains, wherein the computer executable code, when executed on a 
computing device, causes the computing device to:

in response to a user's request to invoke an operation of the e-commerce site (Fig 2; 
operations after step 201: access requests; Col 6, line 44-56; Col 15, starting at line 8; handling 
access requests; resource identification): 

determining a security domain of the plurality of the security domains to which the operation 
relates (Fig 4.410: domainId; Col 13, lines 1-20; Col 15, starting at line 9; accessing resources in
several/ multi level domains); 

reusing the session for the user automatically in accordance with the determined security 
domain, the selected session being associated with a user identity and a role, the user identity and 
role together indicating privileges for invoking operations of the e-commerce site in at least the 
determined security domain; and persisting said session for reuse (Col 11, starting at line 11; Col 16, 
starting at line 50; session creation; Col 8, starting at line 9; Col 13, starting at line 5; Col 15, starting 
at line 8; Col 16, starting at line 35; Claim 1,12; session credentials/ tokens for persistent/ subsequent 
sessions). 

Wood et al fails to disclose selecting a session from a plurality of sessions persisted for the 
user based on the determined security domain. 

However, Low et al discloses selecting a session from a plurality of sessions persisted for the 
user (Col 2, line 6-42; Col 13, line 15-67; Claims 1-13; user selecting a session to join from
plurality of sessions), and

Martherus et al discloses selecting a session persisted for the user based on the determined
security domain (Col 2, line 1-40; Col 8, line 40-67; Claims 1-36; need not to re-authenticate the
user in second domain; persisted sessions in multiple domains). Martherus et al further discloses
the selected session being associated with a user identity and a role, the user identity and role 
together indicating privileges for invoking operations of the e-commerce site in at least the 
determined security domain (Col 2, line 1-40; Col 8, line 40-67; Claims 1-36). 

Regarding claim 2, it is rejected applying as above rejecting claim 1, furthermore, Wood et 
al discloses the method comprising invoking the requested operation with the user identity and the 
role of the selected session (Col 10, starting at line 63; Col 16, starting at line 35, session objects; 
access requests). 

Furthermore, Martherus et al discloses invoking the requested operation with the user 
identity and the role of the selected session (Col 2, line 1-40; Col 8, line 40-67; Claims 1-36; user 
authentication based on identity and roles for persisted sessions in multiple domains). 

Regarding claim 3, it is rejected applying as above rejecting claim 2, furthermore, Wood et 
al discloses the method wherein the selected session comprises information indicating at least one of: 
the user's preferences for invoking operations at the e-commerce site; the user's preferences for
invoking operations at least the determined security domain (Col 12, starts at line 66; Col 15, 
starting at line 9; resource identification: session tokens for several domains); and a security 
signature for authenticating the selected session information (Col 14, starting at line 60; assigning 
signed/ cryptographically secured session credentials for different sessions/ domains).

Furthermore, Martherus et al discloses the user's preferences for invoking operations at the
e-commerce site; the user's preferences for invoking operations at least the determined security
domain (Col 2, line 1-67; Col 8, line 40-67; Claims 1-36; determining user's resource requests in
multiple domains). 

Regarding claim 4, it is rejected applying as above rejecting claim 1, furthermore, Wood et 
al discloses the method comprising evaluating the requested operation to determine an operation 
type and wherein said step of performing is performed in accordance with the operation type (Col 
15, starting at line 9; accessing requested resources). 

Regarding claim 6, it is rejected applying as above rejecting claim 4, furthermore, Wood et 
al discloses the method wherein the user identity is associated with an identity type for permitting 
the invocation of operations; wherein said method comprises receiving the user's request in 
association with the plurality of sessions persisted for the user and retrieving a user identity for the 
determined security domain from said plurality of sessions; and wherein said performing is 
performed in response to the identity type of the retrieved user identity (Col 3, starting at line 1; Col 
10, starting at line 48; Col 16, starting at line 35; Claim 1,12; session credentials/ tokens for 
persistent/ subsequent sessions; Claims 1,12; session credential including user identifying 
information; session continuity; requests).

Regarding claim 7, Wood et al discloses the method wherein said step of persisting
comprises providing one or more cookies defining the session to the user for associating with a 
subsequent request (Col 8, starting at line 9; Col 13, starting at line 5; Col 15, starting at line 8; Col 
16, starting at line 35; session credentials/ cookies/ tokens for persistent/ subsequent sessions). 

Regarding claim 8, Wood et al discloses the method wherein the cookies comprise an 
authentication cookie and a session cookie; and wherein the method comprises authenticating the 
user's request (Fig 4.410, 420; encrypted login and session credentials/ cookie; Col 9 lines 6-15; Col 
14, starting at line 21; claim 23, 24; multiple secured credentials).

Regarding claim 9, Wood et al discloses the method comprising: defining each of the one or 
more security domains as a hierarchy of organizations and assets owned by the organizations; and 
wherein said determining the security domain of the plurality of the security domains to which the 
operation relates comprises evaluating the user's request in accordance with the hierarchy (Col 15, 
starting at line 8; domain level credentials). 

Furthermore, Martherus et al discloses defining each of the one or more security domains 
as a hierarchy of organizations and assets owned by the organizations; and wherein said determining 
the security domain of the plurality of the security domains to which the operation relates comprises 
evaluating the user's request in accordance with the hierarchy (Col 2, line 1-67; Col 8, line 40-67;
Claims 1-36).

Regarding claim 20, Wood et al discloses the system wherein the identity manager 
component is adapted to invoke said requested operation with said user identity and role of the 
session (Fig 1: Gatekeeper; Fig 3A:321, central security architecture).

Regarding claims 11-13 and 15-18, they recite the limitations of claims 1-10, therefore, they
are rejected applying as above rejecting claims 1-10. 

Regarding claims 21-22 and 24-27, they recite the limitations of claims 1-10 and 20, 
therefore, they are rejected applying as above rejecting claims 1-10 and 20. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the 
rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in 
the United States before the invention by the applicant for patent or (2) a patent granted on an application for patent 
by another filed in the United States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an 
application filed in the United States only if the international application designated the United States and was 
published under Article 21(2) of such treaty in the English language. 

7. Claims 1, 10 and 19 are further rejected under 35 USC 102(e) as being anticipated by
Hinton et al (US 6993596 B2).

Regarding claims 1, 10 and 19, Hinton et al teaches a method/ medium/ system for
managing multiple user identities for a user of an electronic commerce (e-commerce) site, the 
method/ medium/ system comprising: 

defining the e-commerce site as a plurality of security domains (Col 1, line 62- Col 2, line
67; Col 10, starts at line 36; Claims 1-9; plurality of security server domains); and 

in response to a user's request to invoke an operation of the e-commerce site: 

determining a security domain of the plurality of security domains to which the operation 
relates (Col 1, line 62- Col 2, line 67; Col 10, starts at line 36; Claims 1-9);

selecting a session from a plurality of sessions persisted for the user based on the determined
security domain (Col 1, line 62- Col 3, line 35; Col 10, starts at line 36; Claims 1-9; enrolling/
selecting sessions persisted in cross domains); and

reusing the session for the user automatically in accordance with the determined security 
domain (Col 1, line 62- Col 3, line 35; Col 10, starts at line 36; Claims 1-9; vouching the session 
credentials in security domains), the selected session being associated with a user identity and a 
role, the user identity and role together indicating privileges for invoking operations of the
e-commerce site in at least the determined security domain (Col 1, line 62- Col 3, line 35; Col 10,
starts at line 36; Col 16, lines 1-50; Claims 1-9; session being associated with a user identity and a 
role; vouching the session credentials/ cookies in security domains) 

Hinton et al further teaches an identity manager component configured to, in response to a
user's request to invoke an operation of the e-commerce site (Col 4, starts at line 35; Col 7, line 1-
Col 9, line 67; Claims 1-20; user identity administrator/ manager).

Conclusion 

7. Applicant's amendment (filed on 09/14/2007) necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS 
from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the 
date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Shanto M Z Abedin whose telephone number is 571-272-3551. The examiner 
can normally be reached on M-F from 9:00 AM to 5:30 PM. If attempts to reach the examiner by 
telephone are unsuccessful, the examiner's supervisor, Moazzami Nasser, can be reached on
571-272-4195. The fax phone number for the organization where this application or proceeding is
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, 
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Shanto M Z Abedin 

Examiner, AU2136 
/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



